Description
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.
Published: 2026-04-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-Side Script Execution
Action: Patch Immediately
AI Analysis

Impact

Pachno 1.0.6 is vulnerable to a stored cross-site scripting flaw. Attackers can embed malicious HTML or JavaScript payloads in several POST parameters: value, comment_body, article_content, description, and message. These inputs are persisted to the database without proper sanitization when retrieved via Request::getRawParameter() or Request::getParameter() calls. Whenever a page renders these fields, the unsanitized content executes in the victim's browser, letting the attacker run arbitrary client-side script. This can lead to session hijacking, defacement, or data theft, impacting confidentiality, integrity, and availability for all users who view the affected content.
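The render step described above, as an added example that is not Pachno's code: it assumes a PHP code base, stands in a minimal hypothetical Request class for the one the advisory names, and renders the affected fields with context-specific HTML encoding at output instead of echoing the stored value.

```php
<?php
// Added example (not Pachno's code). Assumes a PHP code base and uses a
// hypothetical stand-in for the Request class named in the advisory.
declare(strict_types=1);

final class Request
{
    public function __construct(private array $post) {}

    // Hypothetical: hands back the POST value exactly as submitted.
    public function getRawParameter(string $name, ?string $default = null): ?string
    {
        return $this->post[$name] ?? $default;
    }
}

// Affected fields per the advisory; each is user data, never markup.
const AFFECTED_FIELDS = ['value', 'comment_body', 'article_content', 'description', 'message'];
const ENC_FLAGS = ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE;

// Encode for HTML element content (text between tags).
function html_text(?string $value): string
{
    return htmlspecialchars((string) $value, ENC_FLAGS, 'UTF-8');
}

// Encode for a quoted attribute value; ENT_QUOTES escapes both quote styles.
function html_attr(?string $value): string
{
    return '"' . htmlspecialchars((string) $value, ENC_FLAGS, 'UTF-8') . '"';
}

// Constructed submission: ordinary text that happens to contain markup characters.
$request = new Request([
    'comment_body' => 'Use <b>bold</b> & "quotes" here',
    'description'  => "it's a demo",
]);

foreach (AFFECTED_FIELDS as $field) {      // $field comes from our own list, not the user
    $stored = $request->getRawParameter($field, '');   // what lands in the database

    // Vulnerable pattern from the advisory: echo $stored;  (the browser parses any tags)
    // Hardened pattern: encode at the point of output, for the context the value lands in.
    echo '<div class="', $field, '" title=', html_attr($stored), '>',
         html_text($stored), "</div>\n";
}
```

Encoding at output also covers values already sitting in the database, which a storage-time filter cannot reach; if both are applied, store the raw value and encode exactly once on output to avoid double encoding.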

Affected Systems

Pachno 1.0.6, provided by the vendor Pachno.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. Although EPSS and KEV information is not available, the stored nature of the flaw means exploitation requires write access to the application, typically through an authenticated user, while the resulting script runs in any recipient's browser. Given the lack of server-side mitigation, the vulnerability is reasonably straightforward to exploit for anyone who can submit data, with the potential for widespread impact on users. Security teams should treat patching it as a priority.

Generated by OpenCVE AI on April 13, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for security updates for Pachno 1.0.6
  • If a patch is released, upgrade Pachno to the latest version immediately
  • If no patch is available, apply input validation to escape or strip script tags from the affected POST parameters before storage
  • Consider deploying Web Application Firewall rules to detect and block XSS payloads in form submissions
  • Monitor logs for XSS attempts and unusual user activity


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 20:30:00 +0000

Values removed: none
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 18:30:00 +0000

Values removed: none
Values added:
  Description: Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.
  Title: Pachno 1.0.6 Stored Cross-Site Scripting via Multiple Parameters
  First Time appeared: Pachno; Pachno pachno
  Weaknesses: CWE-79
  CPEs: cpe:2.3:a:pachno:pachno:1.0.6:*:*:*:*:*:*:*
  Vendors & Products: Pachno; Pachno pachno
  References: (none listed)
  Metrics (cvssV3_1): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}
  Metrics (cvssV4_0): {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T18:58:35.894Z

Reserved: 2026-04-08T13:39:22.099Z

Link: CVE-2026-40038

Vulnrichment

Updated: 2026-04-13T18:58:31.280Z

NVD

Status: Received

Published: 2026-04-13T19:16:51.263

Modified: 2026-04-13T19:16:51.263

Link: CVE-2026-40038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:42Z

Weaknesses